ARCHITECTURE FOR VIRTUAL PRIVATE NETWORKS

BACKGROUND OF THE INVENTION

1. Related Information

The present invention is related to the one described in copending U.S. Patent Application entitled "An Apparatus for Implementing Virtual Private Networks," Serial No. 08/874,091 [Attorney Docket No. 20155-702], assigned to the assignee of the present application and filed concurrently herewith.

2. Field of the Invention

The present invention relates to the field of data communications. More particularly, the present invention relates to techniques for implementing secure virtual private networks over public or otherwise insecure data communications infrastructures.

3. Background

In recent years organizations have come to rely heavily on the ability to transmit electronic data between members of the organization. Such data typically includes electronic mail and file sharing or file transfer. In a centralized, single site organization, these transfers of electronic data are most commonly facilitated by a local area network (LAN) installed and operated by the particular enterprise.

Preventing unauthorized access to data traversing an enterprise's LAN is relatively straightforward. This applies to both unauthorized accesses by members of the enterprise and, more importantly, to third parties on the outside. As long as intelligent network management is maintained, unauthorized accesses to data traversing an enterprise's internal LAN are relatively easily avoided. It is when the enterprise spans multiple sites that security threats from the outside become a major concern.

For distributed enterprises that desire the conveniences of the above-described electronic data transfers, there are several options that exist today, but each with associated disadvantages. The first option is to interconnect the offices or various sites with dedicated, or private, communications connections often referred to as leased lines. This is the traditional method organizations use to implement a wide area network (WAN). The disadvantages of implementing an enterprise owned and controlled WAN are obvious: they are expensive, cumbersome and frequently underutilized if they are established to handle the peak capacity requirements of the enterprise. The obvious advantage to this approach is that the lines are dedicated for use by the enterprise and are therefore secure, or reasonably secure, from eavesdropping or tampering by intermediate third parties.

An alternative to the use of dedicated communications lines in a wide area network is for an enterprise to handle intersite data distributions over the emerging public network space. Over recent years, the Internet has transitioned from being primarily a tool for scientists and academics to a mechanism for global communications with broad ranging business implications. The Internet provides electronic communications paths between millions of computers by interconnecting the various networks upon which those computers reside. It has become commonplace, even routine, for enterprises, even those in nontechnical fields, to provide Internet access to at least some portion of the computers within the enterprise. For many businesses this facilitates communications with customers, potential business partners as well as the distributed members of the organization.

Distributed enterprises have found that the Internet is a convenient tool to provide electronic communications between members of the enterprise. For example, two remote sites within the enterprise may each connect to the Internet through a local Internet Service Provider (ISP). This enables the various members of the enterprise to communicate with other sites on the Internet including those within their own organization. The limiting disadvantage of using the Internet for intra-enterprise communications is that the Internet is a public network space. The route by which data communications travel from point to point can vary on a per packet basis, and is essentially indeterminate. Further, the data protocols for transmitting information over the various networks of the Internet are widely known, and leave electronic communications susceptible to interception and eavesdropping, with packets being replicated at most intermediate hops. An even greater concern arises when it is realized that communications can be modified in transit or even initiated by impostors. With these disconcerting risks, most enterprises are unwilling to subject their proprietary and confidential internal communications to the exposure of the public network space. For many organizations it is common today to not only have Internet access provided at each site, but also to maintain the existing dedicated communications paths for internal enterprise communications, with all of the attendant disadvantages described above.

While various encryption and other protection mechanisms have been developed for data communications, none completely and adequately addresses the concerns raised for allowing an enterprise to truly rely on the public network space for secure intra-enterprise data communications. It would be desirable, and is therefore an object of the present invention, to provide such mechanisms which would allow the distributed enterprise to rely solely on the public network space for intra-enterprise communications without concern for security risks that presently exist.

SUMMARY OF THE INVENTION

From the foregoing it can be seen that it would be desirable and advantageous to develop protocols and architecture to allow a single organization or enterprise to rely on the public network space for secure intraorganizational electronic data communications. The present invention is thus directed toward the protocols and architecture for implementing secure virtual private networks over the Internet or other public network systems. The architecture of the present invention introduces a site protector or virtual private network (VPN) unit which moderates data communications between members of a defined VPN group. In accordance with one embodiment of the present invention, the site protector resides on the WAN side of the site's router or routing apparatus which is used to connect the enterprise site to the Internet. In alternative embodiments, the site protector will reside on the LAN side of the router. The essential point for all embodiments is that the site protector be in the path of all relevant data traffic.

To ensure secure data communications between members of the same VPN group, the site protector or VPN unit implements a combination of techniques for data packet handling when packets are to be sent between members of the group. The packet handling processes include various combinations of compression, encryption and authentication, the rules for each of which may vary for members of different groups. For each group defined as a virtual private network, the various parameters defining the compression, encryption and authentication are maintained in lookup tables in the associated VPN units. The lookup tables maintain information not only for fixed address members of the group, but support is also provided for remote clients. This ability allows remote users to dial into a local Internet Service Provider and still maintain membership in a virtual private network group for secure communications over the Internet with other members of the group. In the case of a remote client, the site protector may, in one embodiment, be simulated by software running on the remote client.

In other aspects of the present invention, the VPN units or site protectors may be dynamically configured to add or subtract members from the virtual private network group or recognize their movement, or change other parameters affecting the group. Various other packet handling aspects of the invention include addressing the problem of some data packets growing too large by the inclusion of encryption and authentication information. Another packet handling aspect provides a mechanism for Internet communications which hides information identifying the source and destination of the data packet. In this aspect of the present invention, the VPN units are treated as the source and destination for the Internet communication data packets, with the VPN units encapsulating the source and destination addresses of the endstations.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects, features and advantages of the present invention will be apparent from the following detailed description, in which:

Figure 1 illustrates a prior art configuration for an exemplary enterprise's intraenterprise communication architecture.

Figure 2 illustrates an enterprise communication scenario in accordance with the present invention utilizing the Internet or other public network space as the vehicle for conveying messages between members of a virtual private network.

Figure 3 illustrates a flow diagram for the handling of a packet being transmitted from one member of a virtual private network group to another member over the Internet.

Figure 4 illustrates the handling of a data packet received over the Internet by one member of a virtual private network group from another member.

Figure 5 illustrates graphically the life cycle of a data packet being sent from one member of a virtual private network group to another over the Internet.

Figure 6 illustrates an alternate life cycle of a data packet being sent from one member of a virtual private network group to another over the Internet where the source and destination addresses of the group members are also concealed.

DETAILED DESCRIPTION OF THE INVENTION

Protocols and an architecture are disclosed for implementing secure virtual private networks for enterprise communications over the Internet or other public network space. Although the present invention is described predominantly in terms of utilizing the Internet as a communications medium, the concepts and methods are broad enough to accomplish the implementation of secure virtual private networks over other public or insecure communications media. Throughout this detailed description, numerous specific details are set forth, such as particular encryption or key management protocols, in order to provide a thorough understanding of the present invention. To one skilled in the art, however, it will be understood that the present invention may be practiced without such specific details. In other instances, well-known control structures and system components have not been shown in detail in order not to obscure the present invention.

In many instances, components implemented by the present invention are described at an architectural, functional level. Many of the elements may be configured using well-known structures, particularly those designated as relating to various compression or encryption techniques. Additionally, for logic to be included within the system of the present invention, functionality and flow diagrams are described in such a manner that those of ordinary skill in the art will be able to implement the particular methods without undue experimentation. It should also be understood that the techniques of the present invention may be implemented using a variety of technologies. For example, the virtual private network unit or site protector to be described further herein may be implemented in software running on a computer system, or implemented in hardware utilizing either a combination of microprocessors or other specially designed application specific integrated circuits, programmable logic devices, or various combinations thereof. It will be understood by those skilled in the art that the present invention is not limited to any one particular implementation technique and those of ordinary skill in the art, once the functionality to be carried out by such components is described, will be able to implement the invention with various technologies without undue experimentation.

Referring now to Figure 1 there is shown a traditional scenario for intra-enterprise data communications for a distributed organization. In this illustration of an exemplary organization configuration, the enterprise consists of a headquarters location 105 with additional sites or branches 110 and 112, respectively. In modern organizations, such as the exemplary one of Figure 1, the headquarters' site 105 as well as the branch sites 110 and 112 may each comprise numerous personnel, many of whom are provided with computers or work stations with network access. The internal network configurations at the headquarters or branches may take many forms including one or several local area networks (LANs). For intersite communications between headquarters and the branches, dedicated or leased communications lines 115 and 120 may be provided. In addition, an optional dedicated communications path 125 may be provided between the branches 110 and 112. As an alternative to the optional dedicated communications line 125 between the branches, data packets between branch 110 and branch 112 may be routed through the headquarters' network equipment.

In addition to the dedicated communications lines between the headquarters and the various branches, it is common today to provide computer users within an organization access to the Internet for electronic mail to external parties as well as for doing various types of research over the Internet using such tools as the World Wide Web, etc. Figure 1 shows the usual scenario, where the headquarters' site 105 and the branches 110 and 112 are each separately provided with direct access to Internet Service Providers 130, 133 and 136, respectively. This provides the users at the various sites with their access to the Internet for the above purposes. In an alternate configuration, it may be that only the headquarters site 105 is provided with access to an Internet service provider 130 and that users of the computers of the branch sites 110 and 112 will connect to the Internet through headquarters via their dedicated communications paths 115 and 120. The downside to this alternate configuration is that it greatly increases the bandwidth utilization on the dedicated lines, perhaps to the point of saturation. An advantage is that only one gateway to the Internet need be provided for the organization, which simplifies enforcing security constraints on connections to the outside world.

In the exemplary organization 100, it is also shown that in some circumstances it may be desirable to allow customers or other business partners to dial in directly to the computer network of the organization. In Figure 1 it is illustrated that the customer 140 may in fact carry out such communications over a communications path 145 which may be a dedicated line provided between the customer and the organization for the customer's convenience. The path 145 may also be a dial-up line which the customer might use only sporadically. Consistent with the emerging use of the Internet and its popularity, the customer 140 is shown having its own Internet connection through ISP 148.

Finally, there is shown in Figure 1 that it is frequently desirable for other members of the enterprise who may be on the road or working from home or other remote locations to exchange data with other members of the enterprise. There are thus shown remote clients 150 and 155 communicating with the headquarters over long distance telephone lines 157 and 158. This example assumes that the remote clients are in a truly remote location from the headquarters. The remote clients 150 and 155 are also respectively shown having local access to the Internet through local ISPs 160 and 165.

The above description of an enterprise's data communications configuration according to Figure 1 illustrates the disadvantages described in the previous section. These disadvantages are eliminated by implementation of the present invention as illustrated generally with reference to Figure 2. In the enterprise network communication configuration 200 illustrated in Figure 2, the headquarters 105, first branch 110 and second branch 112 of the organization are illustrated in a more detailed logical way than presented in Figure 1. Thus, the headquarters 105 is illustrated with three endstations 201, 202 and 203, respectively coupled to communicate data packets over local area network (LAN) 205. Likewise, the branch site 110 is shown having a plurality of endstations 211, 212 and 213 respectively coupled to communicate data locally over LAN 215. Finally, the second branch site 112 is shown with an illustrative set of computer stations 221, 222 and 223 connected to communicate over LAN 225. The customer site 140 is also illustrated in Figure 2 as comprising a plurality of computers illustrated by 331 and 332 coupled to communicate over the customer's LAN 235. The local area networks utilized for data communications within the headquarters, customer and branch sites may adhere to a wide variety of network protocols, the most common of which are Ethernet and Token Ring.

As can be seen in Figure 2, the dedicated communications lines between the headquarters site 105 and the branch sites 110 and 112 as well as between the headquarters site 105 and the customer's site 140 have been eliminated. Instead, in accordance with the present invention, data communications between members of the organization are intended to be carried out over the Internet or other public network space. For purposes of the present invention, it will be assumed that it is the widely emerging Internet that will be the medium for data packet transfers between members of the organization.

Each of the LANs for the particular sites illustrated in Figure 2 ultimately interconnects to the Internet 250 through an associated routing or gateway device, identified as routers 240, 242, 244 and 246, respectively. It is to be understood that data packets conveyed between the various sites illustrated in 200 would traverse, in many cases, a plurality of additional routing devices on their way between the source and destination sites for the packets. The mechanisms for data packet transfers over the Internet are well known and are not described in great detail herein. It is understood that data packets are assembled in accordance with the Internet Protocol (IP) and are referred to herein as IP packets regardless of the version of the Internet protocol presently in effect. In the case of the remote clients 150 and 155 illustrated in Figure 2, it is understood that they utilize communication software to dial up a local Internet service provider which itself provides the gateways necessary for communications over the Internet 250.
As has been described above, prior efforts to utilize the Internet for secure data communications have required an awareness or implementation of security considerations at the endstations. This is disadvantageous when transparency to an end user is desirable. The present invention, on the other hand, is transparent to end users, with data communications over the Internet occurring exactly as they appear to have before. However, for users identified as members of the same virtual private network, data communications are handled in a manner that assures the security and integrity of the data packets. Illustrated in Figure 2, between the Internet 250 and each of the respective routers 240, 242, 244 and 246, are Virtual Private Network Units (VPNUs) 250, 252, 254 and 256. In accordance with the particular illustrated embodiment of the present invention, the VPNUs reside between a site's router and the path to the Internet. It should be understood that this placement of VPN units in the overall system architecture represents only one placement choice. It will be clear from the materials that follow that the key point with respect to VPNU placement is that they reside in the path of data traffic. In many embodiments, it may in fact prove desirable to situate the VPNU on the LAN side of a site's router. As will be described in more detail below, the VPN units maintain lookup tables for identifying members of specific virtual private network groups.

When a data packet is sent between source and destination addresses that are both members of the same VPN group, the VPNU will process the data packet from the sending side in such a way as to ensure that it is encrypted, authenticated and optionally compressed. Likewise, the VPNU servicing the site where the destination address is located will detect that a packet is being propagated between members of the same VPN group. The receiving VPNU will handle the process of decrypting and authenticating the packet before forwarding it toward the destination endstation. In this way, secure data communications between end users are effected in a manner that is transparent to the end users. In the case of remote clients 150 and 155, the VPNU may be simulated in software which operates in conjunction with the communication software for connecting the remote client to the associated local Internet service provider.
The functionality of the VPN units will be described with reference to the following figures beginning with the flowchart of Figure 3. When a data packet originates from an endstation, such as endstation 202 of LAN 205 at site 105, and its destination is a remote site other than the headquarters site 105, it will initially be treated as an ordinary Internet data packet transfer. The packet will proceed from the endstation 202 over the LAN 205 to the routing device 240, which will encapsulate the data packet in accordance with the Internet Protocol, forming an outbound IP packet. On its way out of the site, the IP packet will pass through the associated VPN unit for the site. The flowchart illustrated at Figure 3 shows the functional operation of a VPN unit for an outbound packet that is received thereby. The Transmit Packet procedure 300 begins when the outbound data packet is received at the VPNU at step 310. At decision box 320, it is determined whether or not the source and destination addresses for the data packet are both members of the same VPN group. This determination may be made with reference to lookup tables that are maintained by the VPN units or by reference to other memory mechanisms. This step may be thought of as member filtering for data packets being transmitted between the particular site and the VPN unit which services it. If the source and destination addresses for the data packet are not both members of the same VPN group, then at step 330 the packet is forwarded to the Internet as ordinary Internet traffic from the site as though the VPNU were not involved, in which case the procedure ends at step 335. In one alternative embodiment, it may be desirable to discard data traffic that is not destined between members of a VPN group rather than forwarding it as unsecured traffic. In another alternative embodiment, it may be desirable to provide the option to either pass or discard non-VPN-group data traffic.

If, at decision box 320, the member filter, it is determined that both the source and destination addresses for the data packet are members of the same VPN group, then the data packet is processed at step 340, undergoing various combinations of compression, encryption and authentication. The lookup tables maintained by the VPN unit 250 and all of the VPN units, in addition to identifying members of particular VPN groups, also identify whether or not data packets transferred between members of the particular VPN group are to be compressed and, if so, what algorithm is to be used for compression. Many possible compression algorithms are well-known, but in one embodiment of the invention, LZW compression is implemented. The lookup table for the VPN group of which the source and destination addresses are members also identifies the particular encryption algorithm to be used for data packets traversing the Internet for that VPN group as well as the authentication and key management protocol information to be used thereby. As an alternative to lookup tables, the VPNU may be programmed to always use the same algorithms for all VPN groups.

The particular packet processing algorithms to be used for VPN traffic may vary, so long as the lookup tables in both the sending and receiving VPN units identify the same compression, encryption and authentication rules and are capable of implementing and deimplementing them for members of the same group. It is to be understood that a single VPNU may serve multiple VPN groups and that particular addresses may be members of multiple groups. Thus, at step 340, when a packet is destined from one member of the VPN group to another, the packet is processed according to the compression, encryption and authentication rules identified in the VPNU tables for that particular VPN group. Then, at step 350, the processed packet is forwarded toward the destination address over the Internet. The procedure of the sending VPN unit then ends at step 355.

The receiving VPNU reverses the above processes for VPN traffic as illustrated by the flowchart of Figure 4. The Receive Packet procedure 400 begins at step 410 when an inbound data packet is received from the Internet at the receiving VPN unit. At decision box 420, the inbound data packet is examined to determine if the source and destination addresses of the data packet are both members of the same VPN group. It is assumed that the lookup tables maintained by all of the VPN units are both consistent and coherent. If the inbound data packet is determined not to be VPN traffic, then the packet is passed through and forwarded to the receiving site as though it were normal Internet data traffic at step 430, in which case the process ends at step 435. In one alternative embodiment, it may be desirable to discard incoming data traffic that is not from an identified member of a VPN group supported by the VPNU.

For data packets that are determined to be VPN traffic at decision box 420, the VPN unit will process the inbound packet to recover the original data packet as it was provided from the source endstation. The lookup table maintained by the receiving VPN unit will identify the compression, encryption and authentication rules used for the VPN group, and the VPN unit will reconstruct the original IP packet in accordance with those rules at step 440. Then, the reconstructed packet will be delivered to the site of the destination address at step 450, with the procedure ending at step 455.

Figure 5 illustrates graphically the life cycle of the data packet sent between two members of the same VPN group. The data packet originates from a source 500 and propagates from the source's site through its associated router to generate IP data packet 510. The data packet 510 is not intended to illustrate all the fields associated with a complete IP data packet, but shows the relevant portions for this discussion, which include the destination address, source address and the payload information of the packet. The data packet 510 is then examined by the VPN unit, which determines whether the data packet is traffic between members of an identified VPN group. The VPN unit 520 processes the packet in accordance with the packet processing procedures described above with respect to Figure 3, with the resulting packet being illustrated as packet 530. Packet 530 still identifies the destination and source addresses of the data packet, but the remainder of the packet is encrypted, and optionally compressed.

Following processing by the outbound VPNU, the data packet is propagated through the Internet to 550, with the destination and source information identifying to the associated routers of the Internet the path which the packet should ultimately take to reach its destination. The packet emerges from the Internet at the edge of the destination site as data packet 540, which is essentially identical to the data packet 530. The packet is "deprocessed" by the receiving VPN unit 550, which restores the original packet into its form 560 for delivery to the ultimate destination through the receiving site's associated router at destination 570.

As was described above, the present invention's approach to virtual private networks supports not only optional compression of data packets, but encryption and authentication techniques as well. One emerging standard for key management in connection with Internet Protocol data transfers with authentication is referred to as Simple Key management for Internet Protocol (SKIP), which is described by U.S. Patent 5,588,060 assigned to Sun Microsystems, Inc. of Mountain View, CA. Authenticated data transfers using SKIP support a mode of data transfer referred to as tunnel mode. The above described data transfer with respect to Figure 5 illustrates a transport mode of operation in which the destination and source addresses are exposed as the data packet traverses the Internet. In tunnel mode, an added measure of security may be provided by encapsulating the entire data packet in another packet which identifies the source and destination addresses only for the VPN units. This conceals the ultimate source and destination addresses in transit.

Figure 6 illustrates the life cycle of a data packet being propagated from a source 600 to a destination 670 utilizing tunnel mode. In this mode of operation, the data packet 610 is processed by outbound VPNU 620, which generates a resulting packet 630. The resulting packet 630 encrypts and compresses (optionally) not only the data payload of the packet, but the destination and source addresses of the endstations as well. The encapsulated packet is then provided with an additional header that identifies that the source of the packet is the outbound VPNU 620 and that the destination is the inbound VPNU 650. Thus, the packet 640 which emerges from the Internet is identical to the packet 630 with respect to its source and destination address information and encapsulated payload. The packet is decomposed by the inbound VPNU 650 to reconstruct the original data packet at 660 for delivery to the destination 670.
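As an added illustration (not code from the patent), the following Python model runs the Transmit Packet and Receive Packet procedures of Figures 3 and 4 over a constructed group lookup table, in both the transport mode of Figure 5 (endstation addresses visible in transit) and the tunnel mode of Figure 6 (the whole packet encapsulated behind the VPNUs' own addresses). The group table, addresses, wire format, SHA-256 keystream cipher and the cleartext group identifier in the tunnel header are assumptions of this example, and zlib stands in for the LZW compression named in the text.

```python
import hashlib
import hmac
import json
import os
import zlib
from dataclasses import dataclass


@dataclass
class IPPacket:
    """Only the fields the discussion needs (cf. packet 510): addresses and payload."""
    src: str
    dst: str
    payload: bytes


# Constructed VPN group lookup table: members, packet handling rules, shared keys.
GROUP_TABLE = {
    "engineering": {"members": {"10.1.0.2", "10.2.0.5"}, "compress": True,
                    "mode": "tunnel", "enc_key": b"eng-enc", "auth_key": b"eng-auth"},
    "finance": {"members": {"10.1.0.3", "10.3.0.7"}, "compress": False,
                "mode": "transport", "enc_key": b"fin-enc", "auth_key": b"fin-auth"},
}
# Constructed: Internet-side address of the VPNU serving each site (by /16 prefix).
SITE_VPNU = {"10.1.": "198.51.100.1", "10.2.": "198.51.100.2", "10.3.": "198.51.100.3"}
HEADER_LEN, TAG_LEN = 24, 32  # 16-byte group id + 8-byte nonce; HMAC-SHA256 tag


def find_group(src, dst):
    """Member filter (decision boxes 320/420): group both addresses belong to, or None."""
    for name, rules in GROUP_TABLE.items():
        if src in rules["members"] and dst in rules["members"]:
            return name
    return None


def vpnu_for(address):
    """Outer address used in tunnel mode: the VPNU in front of the endstation's site."""
    return SITE_VPNU[address[:5]]


def keystream_xor(key, nonce, data):
    """Constructed stand-in cipher: SHA-256 counter keystream XORed over the data."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def transmit(packet):
    """Transmit Packet procedure (Figure 3) as run by the sending VPNU."""
    group = find_group(packet.src, packet.dst)
    if group is None:
        return packet  # step 330: not VPN traffic, forwarded as ordinary Internet traffic
    rules = GROUP_TABLE[group]
    if rules["mode"] == "tunnel":
        # Figure 6: the whole inner packet, endstation addresses included, is the body.
        body = json.dumps([packet.src, packet.dst, packet.payload.hex()]).encode()
    else:
        body = packet.payload  # Figure 5: endstation addresses stay visible in transit
    if rules["compress"]:
        body = zlib.compress(body)  # zlib stands in for the LZW named in the text
    nonce = os.urandom(8)
    ciphertext = keystream_xor(rules["enc_key"], nonce, body)
    # Constructed wire format: group id | nonce | ciphertext | MAC over all three.
    header = group.encode().ljust(16, b"\0") + nonce
    tag = hmac.new(rules["auth_key"], header + ciphertext, hashlib.sha256).digest()
    secured = header + ciphertext + tag
    if rules["mode"] == "tunnel":
        return IPPacket(vpnu_for(packet.src), vpnu_for(packet.dst), secured)
    return IPPacket(packet.src, packet.dst, secured)


def receive(packet):
    """Receive Packet procedure (Figure 4) as run by the receiving VPNU.

    Returns the restored packet, the packet unchanged when it is not VPN traffic
    (step 430), or None when the packet is malformed or fails authentication."""
    group = find_group(packet.src, packet.dst)
    is_tunnel = packet.src in SITE_VPNU.values() and packet.dst in SITE_VPNU.values()
    if group is None and not is_tunnel:
        return packet
    body = packet.payload
    if len(body) < HEADER_LEN + TAG_LEN:
        return None  # too short to carry the secured format: drop
    header, ciphertext, tag = body[:HEADER_LEN], body[HEADER_LEN:-TAG_LEN], body[-TAG_LEN:]
    if is_tunnel:
        # Assumption: the outer header names the group so the table entry can be found.
        group = header[:16].rstrip(b"\0").decode(errors="replace")
        if group not in GROUP_TABLE:
            return None
    rules = GROUP_TABLE[group]
    expected = hmac.new(rules["auth_key"], header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # authentication failed: never decrypted, never forwarded
    body = keystream_xor(rules["enc_key"], header[16:], ciphertext)
    if rules["compress"]:
        body = zlib.decompress(body)
    if is_tunnel:
        src, dst, payload_hex = json.loads(body.decode())
        return IPPacket(src, dst, bytes.fromhex(payload_hex))
    return IPPacket(packet.src, packet.dst, body)
```

The receive side checks the authentication tag before any decryption or decompression, so a packet that was modified in transit is dropped rather than forwarded.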

The overall architecture of the present invention is robust. It allows end users 
the convenience of proprietary data communications to take place over a public 
network space such as the Internet. The architecture of the present invention also 
allows a wide variety of compression, encryption and authentication technologies to 
be implemented, so long as the VPN units at each end of the transaction support the 
associated protocols. The present invention is also capable of working in concert with 
traditional Internet security mechanisms such as corporate firewalls. A firewall might 
operate in series with the VPN unit at a given site, or, intelligently, be configured in a 
single box with the VPN unit to provide parallel firewall and VPN unit security 
functions. 

There has thus been described a protocol and architecture for implementing 
virtual private networks for using a public network space for secure private network 
data communications. Although the present invention has been described with respect 
to certain exemplary and implemented embodiments, it should be understood that 
those of ordinary skill in the art will readily appreciate various alternatives to the 
present invention. Accordingly, the spirit and scope of the present invention should 
be measured by the terms of the claims which follow. 

CLAIMS 

What is claimed is: 

1. A method for sending a data packet from a first member of a virtual 
private network to a second member of said virtual private network comprising the 
steps of: 
    receiving said data packet en route to said second member; 
    determining that said data packet is being sent between members of 
said virtual private network; 
    determining the packet manipulation rules for packets sent between 
members of said virtual private network; 
    forming a secure data packet by executing said packet manipulation 
rules on said data packet; and 
    forwarding said secure data packet to said second member of said 
virtual private network. 

2. The method according to claim 1 wherein said step of determining that 
said data packet is being sent between members of said virtual private network 
comprises the step of comparing the source and destination addresses of the data 
packet to addresses stored in a virtual private network address table. 

3. The method according to claim 1 wherein said step of determining the 
packet manipulation rules comprises the step of accessing a lookup table that 
maintains information identifying compression, encryption and authentication 
algorithms to be utilized for data packets sent between members of the virtual private 
network. 

4. The method according to claim 3 wherein said step of forming a secure 
data packet comprises the steps of: 
    encrypting at least a payload portion of the data packet according to the 
identified encryption algorithm; and 
    providing authentication information for the data packet according to 
the identified authentication algorithm. 
5. The method according to claim 4 wherein said step of forming a secure 
data packet further comprises the step of compressing the data 
packet according to the compression algorithm identified. 

6. The method according to claim 5 wherein said compressing step occurs 
prior to said encrypting step. 

7. The method according to claim 3 wherein said forming a secure data 
packet includes the step of concealing the source and destination addresses of the data 
packet according to the identified packet manipulation rules. 

8. A method for recovering an original data packet from a secure data 
packet sent between members of a virtual private network comprising the steps of: 
    receiving said secure data packet; 
    determining the packet manipulation rules for packets sent between 
members of said virtual private network; 
    recovering the original data packet by manipulating the secure data 
packet by reversing the identified packet manipulation rules; and 
    forwarding the recovered data packet to its destination. 

9. The method according to claim 8 wherein said step of determining the 
packet manipulation rules comprises the step of accessing a lookup table that 
maintains information identifying compression, encryption and authentication 
algorithms to be utilized for data packets sent between members of the virtual private 
network. 

10. The method according to claim 9 wherein said recovering step includes 
the step of recovering the source and destination addresses of the original data packet 
when they have been concealed. 

11. A method for securely exchanging data packets by members of a 
virtual private network comprising the steps of: 
    generating a first data packet which includes a source address, a 
destination address and a data payload portion; 
    transmitting said first data packet toward the destination address; 
    intercepting said first data packet en route to said destination address; 
    verifying that said first data packet is being sent between members of a 
virtual private network group; 
    determining the packet manipulation rules for packets sent between 
members of said virtual private network group; 
    generating a second data packet by performing said packet 
manipulation rules on said first data packet; 
    forwarding said second data packet toward said destination address; 
    receiving said second data packet; 
    verifying that said second data packet is being sent between members 
of said virtual private network group; 
    determining the packet manipulation rules for packets sent between 
members of said virtual private network group; 
    generating a third packet by reversing the identified packet 
manipulation rules, said third packet including said data payload portion; and 
    delivering said third data packet to said destination address. 

12. The method according to claim 11 wherein said second packet conceals 
said source and destination addresses. 

13. The method according to claim 11 wherein said step of generating a 
third packet includes the step of recovering said source and destination addresses for 
inclusion in said third packet. 



14. A system for securely exchanging data packets between members of a 
virtual private network group comprising: 
    a first computer at a first site, said first computer having a first network 
address; 
    a first router associated with said first site for routing data packets 
originating from said first computer over a public network; 
    a first virtual private network unit disposed between said router and 
said public network, said first virtual public network unit for identifying virtual 
private network group data traffic and for securing said data traffic by manipulating 
said data traffic according to packet manipulation rules maintained by said virtual 
private network unit; 
    a second router associated with a second site for coupling said second 
site to the public network; 
    a second virtual private network unit disposed between said second 
router and the public network for intercepting network traffic destined for said second 
site, said second virtual public network unit for detecting virtual private network 
group traffic and for recovering original packet data; and 
    a second computer at said second site, said second computer having a 
second network address for receiving said packet data. 

15. The system of claim 14 wherein said first and second virtual private 
network units include means for verifying that said first and second network addresses 
are both members of said virtual private network group. 

16. The system of claim 15 wherein said first and second virtual private 
network units each have an associated network address, said network traffic 
utilizing the virtual private network addresses to conceal the identity of the first and 
second network addresses. 
FIG. 4 

FIG. 5 